Splunk Search

Individual results for stats in a chart.

StuReeves
Explorer

I'm pretty sure this is going to be very obvious but it's one of those days again.

I've a field Duration_Seconds to establish the length of calls going through the system. I'm trying to display, say, the top 20 longest calls; however, whatever I try, it bases the results on total count, not length.

So even if I have a hundred calls at 30 seconds long, that's not what I'm after. I'm after the individual calls at 12257 seconds, 10545 seconds, 10140 seconds etc. However, if I have 5 calls at 900 seconds, I still need to see those as separate instances.

Does that make sense?

The search I'm using is:

host=*|search Code_Dialled=9 Duration_Seconds=* |sort - "Duration_Seconds"

which gives me it as a search, it's the last bit I'm stumped on.

Thanks again,
Stu..

0 Karma
1 Solution

StuReeves
Explorer

Hi, thanks for getting back. It gives pretty much what I already have. The issue is when I try to chart it, say using top 100 "Call_Duration", it goes back to giving me the top number by count, so I have 5 calls at 425 seconds as my number one in the chart. I'd ideally like to show, say, the top 20 / 50, so if I have 5 calls all at 999, they are all shown as individual calls.
So if I search, it gives me the below, which is perfect.

[screenshot not included]

But what I actually get using, say, Top 20... is
[screenshot not included]

Hopefully this makes a little more sense.

0 Karma

rjthibod
Champion

First, when responding to an answer, it is best to put your response as a comment to the answer and not a new answer. Use the "Add comment" link below the answer to do this.

Regarding your question. What do you want on the x-axis of the chart? Do you want time? If not, please clarify.

0 Karma

StuReeves
Explorer

Oops, sorry about that.

Good point on the X axis never thought about that.
It would be a field called Called_Number (not shown on the sample)

So X would be the number they dialled and Y would be the amount of time they spent on that (long) call.

Thanks again,

Stu..

0 Karma

rjthibod
Champion

Then try this search.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds" | table "Called_Number" "Duration_Seconds"

And play with that in the Search app where you can choose a Column chart.

0 Karma
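The search in the reply above, written out as an added example (it is not rjthibod's or the thread's own search) with two additions a practitioner would want. `num()` forces a numeric collation in `sort`, so that a value such as 999 cannot outrank 12257 if the extracted Duration_Seconds is ever treated as a string, and an `eval`-built label keeps two calls to the same Called_Number as separate bars on a Column chart instead of one category. `Called_Number` and `Duration_Seconds` come from the thread; the `call` label field and the timestamp format are assumptions.

```spl
host=* Code_Dialled=9 Duration_Seconds=*
| sort 20 -num(Duration_Seconds)
| eval call=Called_Number." @ ".strftime(_time, "%Y-%m-%d %H:%M:%S")
| table call Duration_Seconds
```

`sort 20 -num(Duration_Seconds)` is the same as `sort -num(Duration_Seconds) | head 20`: each event stays its own row, so five 999-second calls appear five times. That is the difference from `| top limit=20 Duration_Seconds`, which groups by distinct value and returns one row per value with `count` and `percent` columns, which is exactly the count-driven result the question describes. Selecting the Column chart in the Search app then puts the first column (`call`) on the x-axis and Duration_Seconds on the y-axis.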

StuReeves
Explorer

Brilliant thanks. It needs a little tweaking ( more cosmetic than anything else) but it's sent me down the right path.

I can normally brute force my way when learning new systems, but it's nice to have help when you need it, and coming from a non-DB / programming background, this forum is a great help thanks to the contributors.

0 Karma

rjthibod
Champion

This is what I think you want. Note, your search pipeline segment should be moved to the first part of the query. Here is what I mean.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds"

0 Karma